Filed: Bug 535931 [https://bugzilla.mozilla.org/show_bug.cgi?id=535931]
On Sat, 19 Dec 2009, Douglas Stebila wrote:
Yes, you're correct that it should be done with respect to the size of the group order. If you file a Bugzilla report, you can add me to and I'll put together a patch if no one else does. On 2009-Dec-18, at 10:51 PM, Konstantin Andreev wrote:I have noticed, the following method is used in the ECC sign/verify routines to derive 'e' integer from a digest: ----( begin cite )---- /* In the definition of EC signing, digests are truncated * to the length of n in bits. * (see SEC 1 "Elliptic Curve Digit Signature Algorithm" section 4.1.*/ if (digest->len*8 > ecParams->fieldID.size) { /* u1 = HASH(M') */ mpl_rsh( &u1, &u1, digest->len*8 - ecParams->fieldID.size ); } ----( end cite )---- See the same at cvs blame: http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/freebl/ec.c&rev=1.20&mark=758-763,979-984#751 http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/freebl/ec.c&rev=1.20&mark=758-763,979-984#972 In the code above, the field size is used instead of base point order length. For most curves they are the identical, not not for all. This looks like a bug for me. Best regards, -- Konstantin Andreev, software engineer. Swemel JSC
-- dev-tech-crypto mailing list [email protected] https://lists.mozilla.org/listinfo/dev-tech-crypto
